Security

Hello All, 

I am currently working through a ClearPass LAB, and everything has gone smoothly until I try to integrate the OnGuard portion. I am running CPPM  6.12.0.300732 on CLABV. 

My objective is to Authenticate utilizng EAP-TLS via Cisco Switch (this works wonderfully), grab a posture check, bounce/terminate the session, and utilize the posture status to drop the user into a specific VLAN. 

Independently, these checks both work without issue. I am running the Agent-based unit. I see a good auth in the Tracker for the 802.1x and the WebAuth OnGuard comes shortly after. In my WebAuth enforcement, I have it set to enforce a bounce for anything posture-related. I have tried multiple methods to force any type of bounce but I can not see any attempt. I do have Wireshark in multiple spots, and I never see CPPM attempt to push that CoA. 

Below is a summary of what I have configured

802.1x Summary

My Idea here and I could be wrong is if the device has a posture status the policy can take the correct action if it's unknown let it hang out and run the posture check

the fail and pass profiles return a VLAN number         

The WebAuth/Posture policy is configured as follows

The Enforcement I  currently have in place is to terminate the session no matter what.  I have also tried to bounce, disable, and re-authenticate tied to specific posture values with no luck.

I see that both services are hit and complete in the Tracker, but I do not get any action from the WebAuth

I have realized that the Webauth uses a separate endpoint/MAC address that does not exist in the switch table. 

I did change the global setting to utilize the username, but that, unfortunately, did not change the behavior.

I am stuck here, and I can not seem to get it to operate as I intend. Am I missing something, or is my understanding completely off on how this is supposed to operate? 

I can provide anything more that may help in diagnosing/resolving. Thanks in advance for any support! 

Have you verified that RADIUS CoA is working to the switch? You can test bouncing the clients session by using the "change status" button in the access tracker entry for the current session. If that doesn't work, then the cisco config would need some attention. Maybe the L4 port is wrong? You could also try using the agent bounce instead, which send the bounce to the OnGuard client itself instead of the switch. It will disable and enable the interface on the device.

------------------------------
Dustin Burns

Lead Mobility Engineer @Worldcom Exchange, Inc.

ACCX 1271| ACMX 509| ACSP | ACDA | MVP Guru 2022-2023
If my post was useful accept solution and/or give kudos

Original Message:
Sent: Jun 19, 2024 10:53 AM
From: Bkoelling
Subject: ClearPass OnGuard | MAC used for auth | Terminate/Bounce issue

Hello All, 

I am currently working through a ClearPass LAB, and everything has gone smoothly until I try to integrate the OnGuard portion. I am running CPPM  6.12.0.300732 on CLABV. 

My objective is to Authenticate utilizng EAP-TLS via Cisco Switch (this works wonderfully), grab a posture check, bounce/terminate the session, and utilize the posture status to drop the user into a specific VLAN. 

Independently, these checks both work without issue. I am running the Agent-based unit. I see a good auth in the Tracker for the 802.1x and the WebAuth OnGuard comes shortly after. In my WebAuth enforcement, I have it set to enforce a bounce for anything posture-related. I have tried multiple methods to force any type of bounce but I can not see any attempt. I do have Wireshark in multiple spots, and I never see CPPM attempt to push that CoA. 

Below is a summary of what I have configured

802.1x Summary

My Idea here and I could be wrong is if the device has a posture status the policy can take the correct action if it's unknown let it hang out and run the posture check

the fail and pass profiles return a VLAN number         

The WebAuth/Posture policy is configured as follows

The Enforcement I  currently have in place is to terminate the session no matter what.  I have also tried to bounce, disable, and re-authenticate tied to specific posture values with no luck.

I see that both services are hit and complete in the Tracker, but I do not get any action from the WebAuth

I have realized that the Webauth uses a separate endpoint/MAC address that does not exist in the switch table. 

I did change the global setting to utilize the username, but that, unfortunately, did not change the behavior.

I am stuck here, and I can not seem to get it to operate as I intend. Am I missing something, or is my understanding completely off on how this is supposed to operate? 

I can provide anything more that may help in diagnosing/resolving. Thanks in advance for any support!